Check Point Details Handala Hack Persona and Evolving TTPs of Iranian MOIS-Affiliated Void Manticore
Check Point Research has published a detailed analysis of the Handala Hack persona, revealing the evolving tactics of the Iranian MOIS-affiliated threat actor Void Manticore, including the use of NetBird tunneling and AI-assisted PowerShell wipers.

Check Point Research (CPR) has released a comprehensive report detailing the modus operandi of Void Manticore, an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) that operates under the online persona Handala Hack. The group is known for conducting destructive wiping attacks combined with hack-and-leak operations, primarily targeting Israel and Albania, and has recently expanded its focus to include U.S. organizations such as medical technology giant Stryker.
Void Manticore, also tracked as Red Sandstorm and Banished Kitten, maintains multiple personas including Homeland Justice and Karma, which have been used in operations against Albanian government and telecom sectors since mid-2022. CPR notes that intrusions linked to all three personas exhibit highly similar tactics, techniques, and procedures (TTPs), as well as code overlaps in the wipers they deploy. The Handala persona emerged in late 2023 and has largely replaced Karma, becoming the dominant public-facing brand for the group's operations.
The group's TTPs have remained largely consistent from 2024 through 2026, relying on manual, hands-on activity within victim networks, off-the-shelf wipers, and publicly available deletion and encryption tools. CPR also documented several new techniques, including the deployment of NetBird for tunneling traffic into victim networks and the use of an AI-assisted PowerShell script for wiping activity. The actor continues to rely on commercial VPN services and open-source software, which keeps network indicators short-lived and difficult to track.
Initial access is typically achieved through supply chain attacks targeting IT and service providers and through the compromise of VPN accounts. CPR identified hundreds of logon and brute-force attempts against organizational VPN infrastructure originating from commercial VPN nodes. Following the internet shutdown in Iran in January 2026, the group began using Starlink IP ranges for connectivity, and in some cases has connected directly from Iranian IP addresses, indicating a decline in operational security.
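The VPN logon pattern described above (bursts of failed logons against many accounts from anonymizing infrastructure, sometimes followed by a success) is something a defender can hunt for directly in gateway logs. The following is an added detection example, not code from the CPR report; the log format, the placeholder CIDR standing in for commercial-VPN or Starlink ranges, and the thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN gateway auth log (not from the CPR report).
SAMPLE_LOG = """\
2026-02-10T08:00:01Z vpn-gw1 auth=FAIL user=j.doe src=203.0.113.10
2026-02-10T08:00:03Z vpn-gw1 auth=FAIL user=a.levi src=203.0.113.10
2026-02-10T08:00:04Z vpn-gw1 auth=FAIL user=m.cohen src=203.0.113.10
2026-02-10T08:00:06Z vpn-gw1 auth=FAIL user=r.katz src=203.0.113.10
2026-02-10T08:00:07Z vpn-gw1 auth=FAIL user=s.gold src=203.0.113.10
2026-02-10T08:00:09Z vpn-gw1 auth=OK user=s.gold src=203.0.113.10
2026-02-10T08:01:00Z vpn-gw1 auth=FAIL user=j.doe src=198.51.100.7
"""
# Placeholder CIDR standing in for the commercial-VPN / Starlink ranges the
# report mentions; a real deployment would load a maintained feed instead.
ANONYMIZING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
LINE_RE = re.compile(r"^(\S+) \S+ auth=(OK|FAIL) user=(\S+) src=(\S+)$")

def parse_events(text):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_vpn_bruteforce(text, window=timedelta(minutes=5), threshold=5):
    """Flag sources with >= threshold failed logons inside any sliding window."""
    failures, successes = defaultdict(list), defaultdict(set)
    for ts, result, user, src in parse_events(text):
        if result == "FAIL":
            failures[src].append((ts, user))
        else:
            successes[src].add(user)
    findings = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [u for t, u in events[i:] if t - start <= window]
            if len(burst) >= threshold:
                findings[src] = {
                    "failures": len(burst),
                    "accounts": sorted(set(burst)),          # many distinct users = spraying
                    "success_after_failures": bool(successes[src]),  # possible compromised account
                    "anonymizing_source": any(ipaddress.ip_address(src) in n for n in ANONYMIZING_RANGES),
                }
                break
    return findings
```

A finding with `success_after_failures` set and an anonymizing source is the case worth triaging first, since it matches the compromised-VPN-account access path the report describes.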
In a recent intrusion attributed to Handala, initial access was established months before the destructive phase, suggesting the group maintains persistent access over extended periods. The actor has historically collaborated with Scarred Manticore, another Iranian threat actor, and has been linked to the MOIS Internal Security Deputy's Counter-Terrorism Division, which was reportedly under the supervision of Seyed Yahya Hosseini Panjaki, who was killed in Israeli strikes on Iran in early March 2026.
The report underscores the ongoing threat posed by Iranian state-sponsored cyber operations, particularly as they expand targeting to U.S. enterprises. CPR's analysis provides critical indicators and behavioral patterns that can help defenders detect and respond to Void Manticore intrusions, emphasizing the need for robust monitoring of VPN access and supply chain security.